If you use any online services such as Facebook or Google, you may have seen new tools and products relating to your account privacy settings recently, along with a tweak to privacy policies and terms of use.

These changes are driven by new Europe-wide privacy regulations coming into effect in May.

It’s clear that the giants of the online world have to comply with those rules.

What has been less clear is that many, many companies that don’t focus their efforts online may also have to comply.

The new General Data Protection Regulation (“GDPR”) covers collection and processing of “personal data” of EU residents. The new rules replace a twenty-year-old privacy framework that launched at about the time the public Internet did.

The new law reflects the massive growth of online services since then, the growing use of personal consumer data across a wide variety of businesses, and the desire of European regulators to protect their citizens against these increased methods to access and use their data.

GDPR AND EXPANDED MEANING OF “PERSONAL DATA”

The rules apply to any information that identifies or can be used to identify a natural person.

Even if that information cannot identify someone on a standalone basis, it may be considered protected information if it could be used in combination with other information to identify someone.

This goes well beyond name, email address, and credit card number to capture cookie data, IP address, biometric information, location data, and other material not generally considered “personal” in the US.

REACH AND REQUIREMENTS OF GDPR

If your business receives or performs any operations on “personal data” of EU citizens, you may be subject to the new laws, even if all your operations are in the US and even if your connection to the data is passive. (For example, exporting personal data by storing or transmitting it in the cloud on non-EU servers could trigger the law’s requirements.)

In addition, you may become subject to the requirements of the law if your suppliers or customers impose the law’s standards on you by contract in order to protect themselves. The rules impose numerous technical requirements regarding planning and assessment of data collection, security, and use; may require appointment of a Data Privacy Officer; give EU consumers a “bill of rights” regarding how their information is used; and require notice of data breaches within 72 hours.

PENALTIES AND PLANNING

The new rules are designed to increase the reach of the EU regulators, to protect a wider variety of information, and to make non-compliance hurt. The GDPR provides for penalties up to €20 million or 4 percent of global revenue (whichever is higher) for non-compliant handling of EU personal data.

The effort to achieve compliance will require legal, technical, and other resources.

If your company has a website, employs online or email marketing, deals with overseas partners or customers, uses cloud storage or transmission, or otherwise has access to EU personal data, you need to be aware of these rules and their potential impact on you.

Likewise, if your business partners have significant overseas operations such as those listed, you may become subject to the new rules through your relationships. Either way, the potential penalties are serious, and the potential for disruption and embarrassment is no less so.

Proper planning can help you evaluate whether you are subject to the new rules and how to address any gaps in your company.

The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.

For other businesses, Equifax is going to be a case study — for YEARS — on how not to handle a crisis. Among the reports:

The company’s leadership ignored warning signs of an issue.

The warnings were ignored because of a spat with the vendor that flagged the issue.

The C-suite didn’t inform the board of the known breach – involving HALF of Americans – for three weeks after learning of it.

The company approved stock sales by several insiders after the problems came to light.

Etc. Etc.

In other words: the news keeps getting worse.

For companies on the outside of Equifax, what are the lessons to draw? This is a timely exercise to run through: October is National Cybersecurity Month.

1. Lock up your information. This is priority one. It is not, however, enough. All locks can be picked. There has to be a behavioral focus as well.

2. Create a culture that values confidentiality and treats security problems as an urgent priority. If your factory shut down, you’d be all over it; an infosec/cyber compromise might be no less urgent. Don’t wait to find out.

3. Have a response plan that goes into effect upon discovery of a problem. Who steps up, what do they do, what do they say, and to whom? Knowing these things in advance, you will be able to act more quickly, and you will be more sure-footed, if you ever face a problem.

4. Communicate clearly and promptly. Let appropriate stakeholders know when you discover a problem, and be sure the timing, scope, and substance of those communications take into account the potential fall-out of the issue. Employees need to hear. The board needs to hear. The C-suite needs to hear. The public may need to hear. What they hear, and when, and in what order, may depend in part on the incident. But you have the power to tell the story at the beginning. If you tell a bad story, or a partial story, you lose control of the narrative.

5. Security must be a priority from the top down. That is the only way to accomplish #1-4, and that is the biggest lesson of this debacle. It’s clear in hindsight that the company doesn’t have a culture attuned to confidentiality and security. Plenty of people could have made this better, but the response, viewed from the outside and after the fact, looks like a big collective shrug.

In short, cyber and infosec planning cannot be an afterthought: they have to BE your business. And they have to be treated like any operational issue, not like a mere box to check on your list of annual compliance matters. There is no better defense than a good offense. It’s your company: why wouldn’t you protect it? #cyberforgrowth #cyberforbusiness

It’s National Cybersecurity Month. You’d hardly know this momentous occasion was coming: in September of 2017, we kept waking up to headlines about hacks at major outfits such as Equifax, Deloitte, and the SEC.

All these entities “should know better.” They probably had layers and layers of plans in place. Their plans probably aimed at security for the benefit of their third-party constituents. They see the same headlines we all see, and their lawyers tell them, “you should do this so you don’t face angry consumers.” Their planning focused on liability avoidance.

Cyber planning IS important. The reality for most companies, though, is that the real value of planning is that it allows you to protect your own assets. Most companies will never be the subject of worldwide headlines and consumer class-action suits about a hack of their networks. Hackers routinely penetrate the networks of companies large and small, but the true danger for most companies is not a loss of consumer data. It’s that their own assets may take a hit.

Paying attention to cyber matters will be increasingly important as these major players continue to take very public hits: it gets harder and harder for even small companies to say, “I never thought it could happen to me.” But the resources directed to information security planning don’t have to be all about network penetration and bells and whistles. They don’t have to be fancy, or implementable only with a huge legal, IT, and risk management staff. A lot of problems can be avoided by simple process tweaks and employee awareness and training.

Consider your company’s customer records: they may not contain any of the “personally identifiable information” whose loss drives the massive breach headlines we now see so routinely. But they probably contain pricing, discount information, volume and tiering plans, sales cycle data, and other material that would make you vulnerable if it got leaked.

Now consider that information in an Excel spreadsheet, not protected by encryption, role-based access, or even a password. How easy would it be for someone to email that outside the company, whether accidentally or on purpose?

Think it doesn’t happen? It does. I’ve had multiple clients face some variant of this spreadsheet email in the last three years. It’s disruptive, it’s expensive, it’s embarrassing, and it’s got the potential to lead to liability. Most importantly, it’s compromising your “secret sauce.” Why wouldn’t you spend some time on planning and training and shoring up a few easy practices to prevent this kind of event?

If you are a small company looking to grow, and looking for a buyer, having your assets protected is important to your value: that’s why you’ve registered your intellectual property, for instance, and put contracts in place to protect it. If you are a company at scale, protecting your assets is about investing in your stable returns.

None of this is expensive or scary or overly “techy.” It’s just good business sense.

If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union.

The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls.

The EU views privacy as a fundamental human right; it is enshrined that way in the EU constitution. In this way, regulators and citizens of the EU are far more attuned to personal privacy than most Americans. The new privacy rules carry potentially very steep penalties: fines for violations can amount to up to four percent of global revenue or 20 million Euros (whichever is greater).

What Does the GDPR Require?

The GDPR is designed to give EU residents a standard measure of personal electronic privacy protection that has the same basic expectations no matter whether the individual is doing business with a French company, a Japanese company, or an American company. The tenets of the GDPR sound non-controversial: they involve notice, choice, and transparency (among other things).

At a minimum, this probably merits reviewing your privacy and employment policies to ensure that they fall in line with GDPR requirements of telling EU consumers what data you collect about them, what you do with it, and what rights they have to stop you (or to change their minds once they’ve given you their information).

Merely revising your policies and ensuring that you have a way to respond to consumer inquiries is not enough to be fully compliant with the GDPR, but it may be a reasonable approach if your exposure to the market is very limited. That decision should be made in consultation with your lawyer and possibly your cyber insurance carrier so that you can weigh the risks of non-compliance (or partial compliance) against the benefits and costs of compliance.

If you have significant dealings in the EU, you almost certainly need to do more. Reviewing and documenting your company’s practices regarding data collection and use, designing privacy-aware interfaces for new products and services, establishing server locations so as to keep data local: all of these examples may be or become an important part of your GDPR readiness, because minimizing the data maintained on EU consumers and not moving it to jurisdictions that lack the EU’s protections are key policy aims of the GDPR.

Does it Apply to Me?

If you have customers, employees, or even vendors in the EU, and you interact with their personal data in electronic fashion, you may be subject to the GDPR. The rules apply if you offer goods or services to EU residents and/or if you monitor them. Cookies and other common Web tracking devices are considered a form of monitoring.

This has important implications for how you design your online and data flow practices, both consumer-facing and internal. Also, the EU definition of “personal information” is far broader than anything used in the U.S. It means anything that can be used to identify a person, not just specific information about a specific person. IP addresses, for example, are “personal information” within the EU definition – not just tax ID numbers, email addresses, and so forth.

What Should I Do?

The first step for any company is awareness: knowing whether you have dealings with EU residents, and what information you collect and use regarding them, will tell you whether you need to undertake a compliance discussion with your cyber counsel and carrier.

After that, ensuring that your company makes personal privacy a priority, both internally and externally, is high on the GDPR list. Unfortunate happenings like the Equifax and SEC breaches announced in September of 2017, combined with EU suspicion of U.S. electronic surveillance measures, will ensure that U.S. companies have to justify themselves to a skeptical regulator if they ever face their own issues.

The Equifax hack announced on September 7, 2017, is very scary, and a reminder to lock up the company jewels. Most companies, however, will never face a catastrophic event involving an outside, malicious attack on the very core of their business.

Instead, consider the following scenarios:

An employee erroneously distributes the social security numbers and other personal information of every employee in the company;

A customer’s email is hacked, resulting in your company receiving a fraudulent – but authentic-looking – set of instructions to wire payment to a specific bank account. The money disappears as soon as it hits the fake account; and

Someone (unclear whether internal or external) gets into your company HR system and cracks several accounts, changing employee direct deposit information and locking employees out of their email.

I've gotten calls about each of these three situations just this week.

What would you do if this were your company? None of these is a catastrophic event, but every one of them involves disruption, investigation, acrimony, and significant amounts of time and money to resolve.

For a company that lacks the resources of Equifax, a seemingly small event like this could become catastrophic: your insurance might not pay; your customers might walk; your bank account might be compromised. On a smaller but still disruptive scale, you could become mired in reactive work (investigation, legal follow-up, relationship repair with customers and employees, HR actions) for weeks or even months.

Now think about a “minor” event like this, but where the information compromised is your company's core asset. That really would be catastrophic. And the plain truth is that these “minor” events are often preventable, or at least there is advance planning that could mitigate their impact. This is in plain contrast to the Equifax situation, where advance planning may or may not be enough to protect the plum assets of a high-value target from sophisticated actors.

Cyber and information security planning are not a purely defensive play. Investing in and planning for the security of your corporate assets – whether the company’s “secret sauce” or not – is a key offensive move for any organization.

If you're a growing company, investing in the integrity of your assets helps establish your value to potential buyers and investors.

If you're already at scale, planning and investment help maintain it by allowing you to distribute and spend your profits for the benefit of your shareholders and your operations, rather than on reactive clean-up.

The legal exposure issues of a breach are real, but avoiding legal risk is not the primary result of planning done right.

According to a new survey by insurer Nationwide, almost half of all businesses have been the victim of a cyberattack without knowing it.

Most of the headlines about cyber exposure and planning focus on the need to avoid exposure to consumer claims. This neglects the real purpose of cyber planning for most companies, however: protecting your revenue and securing your growth.

Many businesses don’t have a lot of “personally identifiable information” on file, and the penalties associated with losing control over that information are generally not large (outside healthcare, financial services, and similar industries). With those facts in front of you, it can be hard to justify spending scarce resources on a defensive plan.

However, your own business assets and your own growth/succession are at risk no matter what kinds of records you hold in your company. The time and money you spend on developing and practicing good cyber habits is priceless when you think about your IP, your trade secrets, your pricing, your “secret sauce” getting out via a hacker. Bad guys troll for valuable information all the time, and often sell batches of information via online black markets. This has nothing to do with the headline-grabbing consumer suits that garner all the attention.

How would you value your business in a sale if you knew you’d been the victim of a cyberattack and couldn’t demonstrate that your core assets remained secure? How would you talk to your investors or your board following an attack? What would you want to know about a target’s cyber habits before buying its business?

These are the questions that should be driving our discussion of cybersecurity planning. #cyberforgrowth – not cybersecurity as a means to fend off rare (and rarely successful) consumer claims.

The new Administration may stand for regulatory rollback in many areas, but consumer privacy is (so far) not one. Trump's Federal Trade Commission (FTC) is pursuing a router manufacturer whose equipment hasn't caused any consumer harm yet: no data leaks, no identity fraud, no damages. Companies hoping to escape scrutiny under a relaxed privacy watchdog should consider themselves on notice.

As a best practice, it is a good idea to review your privacy policies and the marketing of your services or goods. Any claims you make about security and privacy of consumer data are fair game for scrutiny and investigation. The FTC so far has been unchecked by the courts, and this router case signals that the agency intends to continue vigorous enforcement—even under an anti-regulatory President.

Tax season brings with it many headaches. For the last couple of years, W2-related phishing scams have been among them. Cyberthieves may send email to HR or financial personnel that looks like it comes from a senior executive. The email may ask for copies of W2s for all employees. The scam used to be targeted to corporations only, but is now hitting school systems and non-profits as well.

As part of its cyber risk planning measures, any organization would be well served to have training and policies in place regarding how to respond to emails asking for this kind of information. In addition, no organization should be sending documents such as W2s by unsecured email.

Employee awareness is one of the biggest and best defenses to this kind of scam: knowing that the company policy is never to send such sensitive information in the clear, no matter who asks, can go a long way to preventing problems. A timely reminder during tax season is a good idea, as is revisiting the organization's cyber plan overall at regular intervals.
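Policy and training are the primary defense the post describes, but the same scam pattern (a message whose display name is a senior executive, sent from an address that is not that executive’s, often with a Reply-To pointing elsewhere and asking for W-2 forms) can also be flagged mechanically before it reaches HR. The following is an added illustration, not code from the original post or from any vendor it mentions; the company domain, the executive roster, the phrase list and the two sample messages are all constructed for the example.

```python
"""Flag inbound mail that impersonates an executive to request W-2 forms.

Added example (not from the original post). A mail gateway rule or a SOC
triage script could run checks like these on each inbound message. The
roster, domain and sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed: the organisation's own mail domain and its executive roster.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "Sam Smith": "sam.smith@example.com",
}

# Matches "W2", "W-2", "W2s", "W-2s"; tune the phrase list to local usage.
W2_PATTERN = re.compile(r"\bW-?2s?\b", re.IGNORECASE)


def classify(raw_message: str) -> List[str]:
    """Return the reasons a message looks like a W-2 phishing attempt.

    An empty list means none of the checks fired.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    reasons = []

    # 1. Display-name impersonation: the visible name is on the executive
    #    roster, but the actual address is not that executive's address.
    expected = EXECUTIVES.get(display_name.strip())
    if expected and address != expected:
        reasons.append(
            f"display name '{display_name}' but sender is {address}, "
            f"roster says {expected}"
        )

    # 2. Reply-To diverts replies (and any attachments) to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address:
        reasons.append(f"Reply-To {reply_to} differs from From {address}")

    # 3. A request for W-2 forms arriving from outside the company domain.
    #    Mail is not the sanctioned channel for W-2s, so this alone is worth
    #    a second look even if the name and address match nothing above.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if W2_PATTERN.search(text) and sender_domain != COMPANY_DOMAIN:
        reasons.append(f"W-2 request from external domain {sender_domain}")

    return reasons


def is_suspicious(raw_message: str) -> bool:
    """Convenience wrapper: True if any check fired."""
    return bool(classify(raw_message))


# Constructed sample: lookalike domain, diverted Reply-To, W-2 request.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: ceo.urgent@mailbox.example.net
To: hr@example.com
Subject: W2s needed today

Please send me the W2s for all employees as PDF. I'm traveling, reply here.
"""

# Constructed sample: genuine executive mail with no W-2 content.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Board deck

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", classify(sample) or "no findings")
```

The three checks are deliberately independent so that a message which trips only one of them (for example a legitimate W-2 mention from an outside accountant) can be routed to a human rather than blocked outright; the policy point in the post, that W-2s never go out by unsecured email regardless of who asks, is what makes check 3 safe to act on.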

In a case of first impression, the Eleventh Circuit has held that an employer need not show an interruption of service to prove actionable harm under the Computer Fraud and Abuse Act (CFAA) and other federal laws. This is good news for employers and potentially for others who suffer computer intrusions.

Yahoo has (not surprisingly) been hit with multiple consumer class action claims relating to its massive data breach. It is unclear exactly when Yahoo uncovered the 2014 breach; news reports characterize the find as "recent." Yahoo also has said that it is cooperating with law enforcement, which could help offset any issues tied to a delay of announcement.